S21SEC [DCS17CTF] – Somalia

During my spare time I have tried some tasks from the DSC17 CTF by S21sec. I will comment here on those I found more difficult or fun. FBCTF was used as the platform, so from here on task names will be the associated countries.

Somalia – 800 points

They provide us with a pcapng capture containing DNS queries (IN A) from an IPv6 host. These queries were of type Standard Query 0x000 A for some random hexadecimal name, [hex-host].des. I worked around the idea of some kind of cipher because of the “.des” domain suffix, after trying some other weird methods (hex->ascii, hex-unxor) that produced nothing.

Another problem was that the UDP source ports appear in a strange range (0,117 random), and we probably need to sort by them in order to get some good output. My initial tries, with streams not ordered by UDP source port, produced nothing. So if I was right, we need to reorder by source port, ‘guess’ the cipher key and finally decipher the flag. Let’s start.

Solution 1: tshark to the rescue

A quick way to sort by those UDP source ports and output only the hexadecimal strings of our streams was:

OK, we have all the data in the correct (assumption) order, but what about the key for the DES-ECB (assumption) cipher? We can try with some data inside the pcap, because guessing was too difficult to try, and we have a constant field in all the streams: the IPv6 field c7:3f:1d:b9:a2:4:4a:ff.

Notice that this key is 15 bytes and we need a 16-byte one to decipher ECB-DES, so we left-pad that ‘lone’ 4 with ‘0’. We have everything we need to write our first script to solve the task under our initial assumption.
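
The reordering and key-padding steps described above, as an added Python example that is not the author's script: it sorts the queries numerically by UDP source port, joins their hex labels, and pads the constant IPv6 field to 16 hex digits (the 8-byte DES key). The sample query names are constructed, the function names are hypothetical, and `decrypt` assumes PyCryptodome is installed.

```python
import re

# Constructed sample: (udp.srcport, dns.qry.name) pairs in capture order,
# e.g. as exported with tshark -T fields -e udp.srcport -e dns.qry.name.
# The hex labels are made up; they are not the challenge data.
SAMPLE = [
    ("10", "8899aabbccddeeff.des"),
    ("2", "0011223344556677.des"),
    ("0", "deadbeefcafef00d.des"),
]
IPV6_FIELD = "c7:3f:1d:b9:a2:4:4a:ff"  # constant field quoted in the write-up


def key_from_field(field):
    """Left-pad each colon-separated group to two hex digits -> 8-byte key."""
    groups = field.split(":")
    if any(not re.fullmatch(r"[0-9a-fA-F]{1,2}", g) for g in groups):
        raise ValueError("unexpected group in %r" % field)
    key = bytes.fromhex("".join(g.zfill(2) for g in groups))
    if len(key) != 8:
        raise ValueError("DES needs an 8-byte key, got %d" % len(key))
    return key


def ordered_ciphertext(pairs, suffix=".des"):
    """Sort queries by numeric source port and join their hex labels."""
    chunks = []
    # int() matters: a string sort would place port "10" before port "2".
    for port, name in sorted(pairs, key=lambda p: int(p[0])):
        if not name.endswith(suffix):
            continue  # not one of the challenge queries
        chunks.append(bytes.fromhex(name[: -len(suffix)]))  # raises on non-hex
    data = b"".join(chunks)
    if len(data) % 8:
        raise ValueError("length %d is not a multiple of 8" % len(data))
    return data


def decrypt(pairs, field):
    """DES-ECB decrypt of the reordered data; assumes PyCryptodome."""
    from Crypto.Cipher import DES
    cipher = DES.new(key_from_field(field), DES.MODE_ECB)
    return cipher.decrypt(ordered_ciphertext(pairs))


if __name__ == "__main__":
    print("key       :", key_from_field(IPV6_FIELD).hex())
    print("ciphertext:", ordered_ciphertext(SAMPLE).hex())
```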